Keywords

1 Introduction

Intelligent Connected Vehicle (ICV) is a new generation of vehicle which is equipped with advanced in-vehicle sensors, controllers, actuators and other devices, and integrates modern communication and network technology to realize intelligent information exchange and sharing between vehicles and X (people, cars, roads, backgrounds, etc.) [1]. The Chinese government said it is paying great attention to the development of intelligent connected vehicles and considers the sector a vital way to ease the burden on transportation, energy consumption and environmental pollution [2]. By 2020, the market scale of the country’s intelligent connected vehicles sector is expected to exceed 100 billion yuan [3]. However, these rapid changes to enhance the intelligent and connected functions of vehicles are having a serious effect on their security. Specifically, the Internet penetrates into the modern vehicles [4]. Increased connectivity often results in a heightened risk of a cybersecurity attack [5,6,7], such as Denial-of-Service (DoS) attack, man-in-the-middle attack and Structured Query Language (SQL) injection. In 2015, preeminent hackers Charlie Miller and Chris Valasek dominated headlines with their landmark hack of a Jeep Cherokee [8]. In 2016, team of hackers take remote control of Tesla Model S from 12 miles away [9]. In 2017, Keen Lab discovered new security vulnerabilities on Tesla motors and realized full attack chain to implement arbitrary CAN BUS and ECUs remote controls on Tesla motors with latest firmware [10]. In 2018, researchers hacked BMW cars and discovered 14 vulnerabilities [11].

Cars are getting more and more connected, which means more electronics plus access to the internet. Which, in turn, means more opportunities to hack cars remotely. For the security, generally speaking, the measures of protection against malicious attacks are little known to automotive manufacturers and suppliers. Modern cars need to be developed with security in mind, and that is something that has to be done by security professionals, whereas the Original Equipment Manufacturers (OEMs) lack the ability to comprehensively evaluate the security levels of their cars. Automotive information security can be guaranteed in many ways, such as security standards, regulations and test evaluation methods or public announcement system. As one of the most direct and effective means, the test evaluation method could provide a security process framework and guidance to help OEMs identify and assess security threats and design security into cyber-physical vehicle systems throughout the entire development lifecycle process. However, due to the lack of relevant standards, there are relatively few test evaluation methods for automotive information security in the industry, while most of these methods focus on testing the safety of cars [12, 13].

In this paper, a novel Intelligent Connected Vehicle Attack and Defense (ICV-ISAD) test evaluation method is proposed to address the test evaluation issue of automotive security. The article is structured as follows: in the following Sect. 2 it studies the problem and object statement under investigation from the two aspects of ICV’s classic system architecture and the main attack surfaces it faces. In Sect. 3 we introduce the test methodology of ICV-ISAD test method from three stages. In Sect. 4 there are some experimental results and analyses for ICV-ISAD test method. After the overall outlook for above, the last section concludes this article with a summary.

2 Problem and Object Statement Under Investigation

While automobile manufacturers have improved the intelligent and connected functions of their automobiles a lot during the past decades, adequate protection measures for vehicle security are not available yet [14]. Moreover, vehicle security related incidents can also affect the safety of automotive systems [15]. All of this interplay between intelligent and security clearly motivates automotive security as a research topic with increasing relevance and importance. Also, it motivates us to explore a test method to evaluate automotive security.

For this section, it serves as a research basis of security test evaluation method analyzing the current state-of-the-art ICV’s classic system architecture and the main attack surfaces it faces, respectively.

Fig. 1.
figure 1

Intelligent connected vehicle classic system architecture

Full size image

2.1 Classic System Architecture

The object under investigation is an ICV system consisting of actuators, sensors, and all kinds of embedded ECUs (Electronic Control Units) that are connected with each other through different busses, such as CAN bus, FlexRay, Ethernet and MOST. To investigate the security of ICV more clearly, we develop an ICV’s classic system architecture that consists of multiple functional modules, such as Gateway, Telematics Box, In-Vehicle Infotainment, Body Electronic Module, Chassis Controller and Powertrain Controller. It is illustrated in Fig. 1. Specifically, the Classic System Architecture can be clearly seen that the OBD and USB interface can provide direct contact physical attacks, while the Wi-Fi and Bluetooth may be used to attack the ICV’s system remotely. Besides, Gateway plays a vital role in the system, which has close ties with many units of the car. Furthermore, successful exploitation of the CAN vulnerability on an automobile with this classic system architecture may allow an attacker with physical access and extensive knowledge of CAN to reverse engineer network traffic to perform a Denial of Service (DoS) attack disrupting the availability of arbitrary functions of the car [19]. In the following section, we will do some research on security test evaluation method based on this ICV’s classic system architecture.

Fig. 2.
figure 2

Attack surfaces that ICV faces

Full size image

2.2 Attack Surfaces

The intelligent connected vehicle has a complex system with many embedded Units. With many intelligent technologies being introduced into vehicle, the threats of malicious attack of automotive security are gradually increasing and the problems of information security are increasingly highlighted. It is not difficult to imagine that automobile manufacturers cannot come up with a strong security system for protecting vehicle networks unless they are very well aware of the attack surfaces that an automobile is facing and have a clear understanding of the existing vulnerabilities. Before helping them solve this puzzle, we first need to analyze the main threat surfaces ICV faces at present. Based on the ICV’s classic system architecture being presented in Fig. 1, in this section, there is an introduction of the attack surfaces threating ICV’s security. An illustration of these attack surfaces is shown in Fig. 2. The details of these seven attack surfaces are as follows.

Telematics Box (T-Box). Telematics Box is an electronic unit that integrates all kinds of chips, such as 3G/4G chip, wireless module, communication module, microcontroller (MCU), System on a Chip (SoC). It can be used to the interactive communication between the vehicle and the cloud-platform and connect with the cellular communication networks. In addition, some T-Boxs have the function of tracking with various satellite constellations (GPS, Galileo, GLONASS). As an important communication unit, T-Box’s security is critical for that of ICV. Therefore, hackers take it for granted that T-Box is one of the main breakthroughs used to compromise vehicles.

In-Vehicle Infotainment (IVI). In-Vehicle Infotainment is the centerpiece of the car’s sound and information system, which provides some direct user experience (UX) for car owners, such as music, applications, navigation. The IVI systems hack is possible and is a real concern [16]. The system is responsible for controlling some of the most vital functions of the car’s system. Specifically, IVI systems frequently utilize Bluetooth technology and/or smartphones to help drivers control the system with voice commands, touchscreen input, or physical controls, which exposes outside and provides a direct way to attack the vehicle.

Electronic Control Unit (ECU). During our research on attack surfaces for ICV, electronic control unit consists of all kinds of critical electronic units except T-Box and IVI, such as Central Computer (CEM), Engine Control Unit, Brake Control Module (BCM) and Remote Monitory System (RMS). All of these modules directly control the movement and behavior of the vehicle, and they can do harm to the vehicle once been attacked.

In-Vehicle Network (IVN). In-Vehicle Network is a general term for the internal network architecture of the car and mainly composed of various electronic modules and different types of buses, for example CAN bus, FlexRay, Ethernet, MOST and so on. All of the buses connects to ECU, T-Box and other critical components. IVN is the nerve center of the entire vehicle system and controls the normal operation of the car system. It is the last defensive line to protect the vehicle from being attacked.

Mobile Application (Mobile App). In this work, Mobile App is an automotive program or software application designed to run on a mobile device such as a phone/tablet, which can be used to control vehicle remotely. Besides, the source codes/files of app contain a great deal of privacy information and they can be reversed, recompiled or tempered. So its security plays a vital role in the field of automotive security.

Radio. In term of ICV information security, Radio refers to the technology of using radio waves to carry information in vehicle, such as sound and images, by systematically modulating properties of electromagnetic energy waves transmitted through space, such as their amplitude, frequency, stage, or pulse width. There are Wi-Fi, Bluetooth, Tire Pressure Monitoring System (TPMS), Remote Keyless Entry System (RKMS) and so on. For the security risks of radio, some hackers set up a radio listening station to find and decode hidden radio signals—just like the hackers who triggered the emergency siren system in Dallas, Texas, probably did [17].

Telematics Service Provider (TSP). In research about Telematics Service Provider’s security, it mainly serves as the cloud platform and some servers that are used to provide the services to the vehicles on the road, which plays a role in the connected car value chain centered on secure vehicle to cloud data management. Due to its close connection with the Internet, it has attracted the attention of many attackers and has become one of the most commonly used attack surface or path.

These attack surfaces related to vehicles exacerbate the problem of causing much information disclosure or compromising an entire in-vehicle network due to the lack of protective measures in the automotive pipeline (network) and other counterparts. Considering the interests of OEMs and users, they are the main objects used to study common car vulnerabilities and possible attack paths.

Fig. 3.
figure 3

ICV-ISAD test method architecture

Full size image

3 Test Methodology

Based on the ICV’s classic system architecture and seven attack surfaces it faces, in this section, a novel Intelligent Connected Vehicle (ICV) Information Security Attack and Defense (ICV-ISAD) test evaluation method is proposed and the design thoughts of test methodology are presented comprehensively. ICV-ISAD test method shows how to evaluate the information security of the car through testing method that aims to discover security vulnerabilities and threats as well as maps corresponding remediation measures. It is derived from the long-term large number of real automotive test experiments and is constantly optimized in the experiments. In this method, the implementation of the security evaluation realized from three stages, which are Threat and Risk Analysis, Test Execution as well as Remediation Measures.

3.1 Threat and Risk Analysis

Since the dependencies between the vehicle security and the design system architecture described in Sect. 2, there exists a lot of threats and risks for ICV’s system or network. In the first stage of ICV-ISAD test method, some threats and risks to the vehicle are considered, respectively. The threat analysis is a process to determine anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy the security of ICV. Table 1 shows an example of threats analysis. Risk analysis is designed to consider the potential for loss, damage or destruction of the vehicle security as a result of a threat exploiting a vulnerability. For an example of risks analysis, see Table 2.

Table 1. Threats analysis
Full size table
Table 2. Risks analysis
Full size table
Table 3. Test points
Full size table

3.2 Testing Execution

In the second stage of ICV-ISAD test method, we will start the testing execution based on the threat and risk analysis. As we can see from the Fig. 3, the stage describes four layers, labeled 1 to 4. Layer 1 is the lowest layer in this stage.

Layer 1: Test Baseline Layer. The Test Baseline Layer is the main component in the test execution stage. 335 test points, 733 test cases and 69 test tools are collected in this layer, which are the important part of ICV-ISAD test method. Test points serve as the idea and technical points for the specific implementation of the security test, which are derived from a large number of practical automotive experiments, taking into account the feasibility and applicability. It describes the research ideas and technical points that plays a vital role in the comprehensive security test of automotive components. Some examples of test points are shown in Table 3. Test cases are usually a single step, or occasionally a sequence of steps, to test the correct security behavior or functionality in the design of vehicle, features of objects corresponding to each test points, one part of which is shown in Table 4. Test tools are partly shown in Table 5, which offer the execution of security test and implement quick security analysis to vehicle system function, software binary code and communication traffic packet across multiple automotive units, etc. Many test tools incorporate automatic test capabilities to traversing and discover threats, vulnerabilities and other security problems from the tested objects.

Table 4. Test cases
Full size table

Layer 2: Strategy and Procedure Layer. In Strategy and Procedure (S&P) Layer, we elaborate the thoughts of test strategy and the flow chart of test procedure. The S&P Layer plays a role of bridge between the Test Library Layer and Test and Evaluation (T&E) Layer using for test planning and management. The test strategy is to build a practical test idea and test route based on the test points around a specific test object, such as IVN, ECU, IVI, T-Box, Mobile App, Radio and TSP. Table 6 takes Test Strategy of IVN’s Security for an example. The test procedure is a test logic based on test points and test strategies, given in the form of a flow chart. It covers major security test policies such as functional security test, static code analysis, reversing engineering and penetration testing. Test procedure is shown in Fig. 4.

Table 5. Test tools
Full size table

Layer 3: Test and Evaluation Layer. To address the evaluation problem of the security for ICV, the Test and Evaluation (T&E) Layer is deployed in third layer of Test Execution. It focus on evaluating the security defensive capability of vehicle based on the attack and defense technology. Test and Evaluation (T&E) is the process by which a system or components are compared against test points and test strategies according to test procedure. Figure 3 highlights the relationship among the Test Baseline Layer, S&P and T&E Layer. The results are evaluated to assess ICV’s security of architecture design.

Table 6. Test strategy for IVN’s security
Full size table

The Test and Evaluation (T&E) involves evaluating an automobile’s security from the component level to whole vehicle system as well as its integrated system. Components mainly refer to the units related to seven attack surfaces, such as IVI, T-Box and ECUs. Through black-box, gray-box and white-box testing, it analyzes the security of automotive systems (Fig. 1) to discover unknown vulnerabilities, threats and risks that the car faced based on the seven major attack surfaces (Fig. 2). In the overall execution process of Test and Evaluation Layer, it complies with test strategy and test procedure showed in the S&P Layer. Different test objects and different steps of the test will selectively call the corresponding test points, test tools and test cases in the Test Library Layer.

During the process of security test, Test Baseline Layer and T&E Layer work together under the connection of S&P Layer. For instance, in the security test evaluation of IVI, one of test points is the port security. And all of test process follows to the test procedure and is guided by the test strategies designed in T&E Layer. Specifically, the nmap in the test tools will be called firstly. Then its test cases corresponding to the port security in the test cases library is going to been matched. Finally the security test of port security will be implemented as follow steps:

  1. 1

    Use nmap to find all open ports.

  2. 2

    Test whether the opened ports are secure or not.

Layer 4: Information Security Database. The fourth layer is the information security database, China Automotive Vulnerability Database (CAVD) [18], which is built and operated by Automotive Data Center of China Automotive Technology and Research Center Co., Ltd. It is responsible for collecting the state of the art automotive information security data, such as vulnerabilities, mitigation measures and treatments. These data are mainly derived from the test experiments based on the attack and defense technology and are processed through verification, review, assessment and classification.

Fig. 4.
figure 4

Test procedure

Full size image

In addition, as the number of the vehicle’s type and testing increases, the data of CAVD would be iterated and updated. Specifically, the vulnerabilities and threats found in the test are matched with that of the CAVD. For the existed vulnerabilities and threats in the library, the corresponding remediation measures or mitigations will be mapped and output from the CAVD. Otherwise for the unknown vulnerabilities and threats, some new protection schemes will be created and stored in the CAVD so as to map the corresponding vulnerabilities or threats next time.

3.3 Remediation Measures

The two stages for test evaluation method of ICV-ISAD have already been mentioned during the presentation of Sects. 3.1 and 3.2. Remediation measures are the output of ICV-ISAD test method. The output function is mainly implemented by the CAVD in the test execution stage. During the period of ICV-ISAD third stage, the basic remediation measures are identified in today’s ICV systems that provide some patch recommendations for vulnerabilities to launch attacks based on these test achievements in the first two stages. While this is done with a focus on the vulnerabilities aspects, it also addresses potential threat implications (like those summarized in Table 1), which can arise from successful exploits of vulnerabilities. The ICV’s vulnerabilities and threats found in the test are mapped with the CAVD to find the corresponding protection schemes.

Fig. 5.
figure 5

The number of vulnerability for different car

Full size image

4 Test Experimental Results

In our experiments, some different types of cars numbered 1 to 10 were selected to assess the performance of the proposed test evaluation method of ICV-ISAD. The vehicles participating in the experiment have intelligent and connected functions, which generally conform to the system framework shown in Fig. 1 and are faced with seven attack surfaces given in Fig. 2. The test experiment are aimed to evaluate the security of the whole vehicle and their components, such as IVI, T-Box, Mobile App, Radio and TSP, based on the black-box, gray-box and white-box testing.

4.1 Results and Analyses

During the experiments of ICV-ISAD test method, 106 automotive system security vulnerabilities are discovered. As can be seen from Fig. 5, the 10 cars used to the test all have security vulnerabilities, and the average number of security vulnerabilities per car is 10.6. In particular, the number of vulnerability in No. 1, No. 8, and No. 9 cars ranks in the top three.

Fig. 6.
figure 6

The number of vulnerability in different severity level

Full size image

For further analysis, the severity of these vulnerabilities are assessed according to the rule in [19]. The results are shown in Fig. 6, where the bar chart informs us of the fact that there exists 4 critical, 11 high, 32 medium and 59 low vulnerabilities in these cars. The number of vulnerabilities with critical and high levels account for \(14.2 \% \) of the entire vulnerability, which have a high probability of being successfully exploited to compromise the vehicle remotely. Besides, the proportion of vulnerabilities with medium level is \( 30.2 \%\) in the entire vulnerability. However, once hackers have physical access to the vehicle, these medium vulnerabilities provide great possibilities of destroying the vehicle. Moreover, it can be clearly seen from Fig. 7 that the car’s vulnerability covers a large area. They are distributed to various components of the car to varying surface. Three units were found serious vulnerabilities, evolving two in T-Box, one each in Mobile APP and TSP. T-Box, IVI, APP, radios and TSP were discovered vulnerabilities with high level in varying degrees. All of these results indicate that these 10 vehicles have different levels of security risks.

Fig. 7.
figure 7

Vulnerability severity for different vehicle units

Full size image

4.2 Typical Vulnerabilities and Threats

In order to better illustrate the efficiency of the ICV-ISAD test method in automotive information security testing and evaluation experiments, we highlight several typical security issues found in the experiments as a result of ICV-ISAD test method, mainly introducing threats and vulnerabilities. Taking into account the privacy protection issues associated with the experimental results, we covered some sensitive information with mosaics.

Radio Vulnerability (Threat). In this paper, the research objectives of radio includes Wi-Fi, Bluetooth, GPS, Wireless Key Fob and Tire Pressure Monitoring System (TPMS).

Fig. 8.
figure 8

SQL injection

Full size image

To evaluate the security of key fobs by using ICV-ISAD test method, GQRX of test tools was called to detect the key frequency band of 315 MHz and 433 MHz at first. Then GNURADIO and USRP of test tools were called to capture and recorded the signal from the wireless key fob. Finally, the effect of the recorded signal was verified by a replay attack to test the security of wireless key fob. The results show that the replay attack is invalid for key fobs encrypted with rolling code, or else the replay attack can open the door and trunk. Specifically, the key fobs of No. 1 and No. 5 car have security risk for having no rolling codes, which can be replay attacked. During the evaluation of GPS security, we tried to cheat and temper the car localization by spoofing GPS signals using radio tools. The results show that it can be performed of GPS spoofing and tempered of the true automotive location if the car locate its position by GPS only, whereas it is difficult to do that in the condition of locating with Wi-Fi, 4G and GPS. In particular, the GPS of No. 1 and No. 3 car have the security risk of spoofing attack for positioning with GPS only.

SQL Injection. Based on the ICV-ISAD test method, when evaluating the TSP security of No. 4 car, we discovered a serious SQL injection vulnerability in one of the TSP’s URLs. Specifically, when we stitched the delay string \(AND \ SLEEP(5)\) after the one of the TSP’s URL, we found that the web page opened after the delay of 5 s, which indicated that its database have executed the spliced URL and it has time-based blind SQL injection. To further verify the vulnerability, we detected the address using sqlmap.py and found time-based blind SQL injection and union query SQL injection. Besides, a large amount of database information is exposed. As shown in Fig. 8.

Gateway Filtering Vulnerability (Threat). When using the ICV-ISAD test method to evaluate engine-related ECU security, we tested the effects of different ID signals on the vehicle by sending random data. The test results show that the signal corresponding to \(ID=350 \) would cause a sudden increase in car speed, as shown in Fig. 9. For further verification, the eight-byte bit data sent by ID of 350 was accurately analyzed. The result shows that the vehicle speed was constantly increasing when all eight bytes were FF, as shown in Fig. 10. The CAN protocol threat can be exploited to compromise the vehicle speed system once hackers have physical access to the vehicle.

Fig. 9.
figure 9

Speed control ID

Full size image
Fig. 10.
figure 10

Speed control by accurate ID message

Full size image

XSS Vulnerability. Under the test to No. 7 car by ICV-ISAD test method, the feedback communication packets of Mobile APP can be intercepted successfully by Burpsuite. Then we insert the constructed malicious JavaScript into the APP’s function of feedback and send it to the server. Through opening the XSS background receiver, we can receive the cookie (username, password) value returned after the malicious code is executed, as shown in Fig. 11. Even more striking, more user personal sensitive information exposed from the server database by further sending the JavaScript with the function of screenshot and reading the website source code again, as shown in Fig. 12.

Fig. 11.
figure 11

The cookie value returned

Full size image
Fig. 12.
figure 12

The exposure of user personal sensitive information

Full size image

4.3 Remediation Measures

In previous work, ICV-ISAD test method was used to evaluate the security of 10 ICVs and 106 vulnerabilities were discovered, especially several typical vulnerabilities and threats were analyzed. To further show its efficiency, in this part, we present some remediation measures or recommendations corresponding to the previous typical vulnerabilities/threats. All of these remediation measures could be mapped from the CAVD database of ICV-ISAD test method, as shown in Table 7.

Table 7. Remediation measures or recommendations
Full size table

5 Conclusion

In this paper, we proposed a novel approach to address the security evaluation problem for ICV based on the attack and defense technology. The proposed ICV-ISAD test method not only helps OEMs secure the car through vulnerability discovery, but also provides the specific remediation measures or recommendations that can be implemented in the vehicle with security risks. Specifically, we explored the ICV’s classic system architecture which presents the main automotive units, system buses, and mutual communication relationship, as well as we discussed seven attack surfaces that ICV faces by and large. Based on the classic system architecture and the seven attack surfaces, ICV-ISAD test method has been elaborated from the three stages of threat and risk analysis, test execution, and remediation measures. Also, a special focus has been put to the stage of test execution, which includes the main components and core technologies of ICV-ISAD test method. Experimental results of 10 vehicles security tests show that ICV-ISAD test method can effectively discover security vulnerabilities and threats to evaluate vehicle’s security. In addition, some remediation measures or recommendations could be mapped from the CAVD of ICV-ISAD test method to mitigate the corresponding vulnerabilities.